The California Consumer Privacy Act (CCPA): What It Means for Third-Party Risk Management

by Daryan Ver Ploeg, Threat Analyst

June 18th, 2019

Imagine a scenario for a moment: Your boss walks into your office and asks, “What are we doing to get ready for CCPA?” Would you have a concrete answer to this question? What steps have you and your team taken in the last month? Three months? How about in the year since the law was passed?

Most of us in the cybersecurity and compliance spheres know that California’s new consumer privacy legislation, the California Consumer Privacy Act (or CCPA), will go into effect on January 1, 2020. What some may not know, however, is that the CCPA’s regulations have a 12-month “look back” period, meaning the consumer data you are collecting today will be subject to CCPA rules, restrictions, and—potentially—litigation.

So, when your boss walks into your office and asks, “What are we doing to get ready for CCPA?”, the answer better not be, “That’s still six months away.” Now is the time to establish procedures, update or create a new data inventory, and coordinate with your third parties to ensure CCPA compliance. Not next year—now. In this blog I will review the core third-party requirements in the CCPA and identify steps you can take to address those requirements.

So, What Exactly Is the CCPA? Who Does It Apply To?

The California Consumer Privacy Act was signed into law by Governor Jerry Brown on June 28, 2018. The law aims to enhance privacy rights and consumer protection by regulating businesses’ collection and sale of consumer data. The law establishes the rights of both the California Attorney General and private California residents to take legal action against businesses if they fail to comply.

While the CCPA is technically California state law, its reach will be felt far beyond the borders of the Golden State. This outsized impact is due to the nature of the law itself; CCPA oversight is not limited to businesses headquartered in California, or even to businesses physically operating in California—the CCPA applies to consumer data collected from any resident of California. Given that California is home to about 40 million people and would be the 5th largest economy in the world if it were its own country, the odds are good that if your business is collecting consumer data, you have collected the data of a California resident.

Due to the fluid nature of state residency in the United States, and the massive undertaking involved in tracking the residency of each and every consumer from whom you collect data, some firms are making the decision to treat every consumer as if they were a California resident, and are therefore preparing for blanket CCPA compliance across their businesses. But while these internal preparations are important, ensuring your own business’s compliance is not enough—you also need to ensure that your relationships with third parties fall in line with the CCPA.

The CCPA and Third Parties

Not only does the CCPA regulate the scope and storage of consumer data by your business, it also sets restrictions on your business’s ability to sell that data to third parties.

Section 1798.140(w) of the law defines third parties in the negative, as any party that is not the business, an individual contractually allowed to use the data, or a service provider (as defined by the CCPA). Some notable CCPA regulations on third parties include:

  • 1798.115(d) – “A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out pursuant to 1798.120.”
  • 1798.120(a) – “A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.”
  • 1798.120(b) – “A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the right to opt out of the sale of their personal information.”

The obligation for your business to provide explicit notice of sales and give consumers a chance to opt out, coupled with the restrictions on third parties to resell that info without doing the same, only emphasizes the need for your business to be able to identify which of your third parties are currently buying or utilizing your consumers’ data. Only once your business has identified the third parties to which you sell consumer data can you begin to take steps to ensure CCPA compliance, such as updating your legal agreements with the third party or opening channels of communication in case of a breach.

How Prevalent Can Help

Prevalent provides businesses with a comprehensive suite of solutions to manage their third-party relationships. Our unified platform makes it easy to track the progress of assessments and compliance questionnaires. Relationship mapping capabilities in the platform (see screenshot below) help organizations clearly see the relationships among their third parties. So, if a third party suffers a breach involving consumer information, you can quickly see which other vendors interact with that third party and begin remediation actions as necessary. Prevalent’s built-in communication tools facilitate this remediation and help you follow up on compliance issues, revisit contract language, and trigger new assessments.

[Screenshot: Relationship Mapping]

Delivered in the simplicity of a secure cloud, the Prevalent platform unifies automated vendor assessments, continuous threat monitoring, and evidence sharing – all backed by expert advisory and consulting services to optimize your risk management program. If you are looking to gauge your organization’s third-party risk management maturity, or want help designing a program to improve vendor security and to determine compliance with data privacy requirements, please contact us today.